Posts

The following blog was written while working for CrowdStrike. It is available at https://www.crowdstrike.com/blog/blurring-of-commodity-and-targeted-attack-malware/.
As malware and its authors continue to evolve, deciphering the purpose of specific malware-driven attacks has become more challenging. While some malware still has a feature-specific design, such as DDoS tools or spam bots, it is becoming increasingly common for a single malware family to serve several different missions. Recent banking trojans, for example, are likely to support remote access, a capability that is not typically required to deliver web injects and steal credentials.

The following blog was written while working for CrowdStrike. It deals with the development and propagation of exploits for CVE-2014-1761, a code execution vulnerability in Microsoft Word that was also leveraged in targeted attacks. The post traces how the events unfolded and which actors used exploits for the vulnerability at which point in time.

The following blog was written while working for CrowdStrike. It deals with a characteristic code invocation technique on 32-bit Windows that was discovered while analyzing malware linked to a targeted intrusion attributed to the VENOMOUS BEAR/Turla actor. The technique locates the taskbar window of class “Shell_TrayWnd”, which belongs to explorer.exe, and thereby obtains a handle to the explorer.exe process; it then uses SetWindowLong() to overwrite a function pointer kept in that window's extra window memory with the address of the injected shellcode, so that the shellcode runs inside explorer.exe once the pointer is used. (On 64-bit Windows the equivalent call is SetWindowLongPtr().)

While most of what we analyze is Windows malware, when it comes to implementing detection or analysis approaches we turn to GNU/Linux. One of the best tools I have stumbled upon for profiling, i.e., analyzing the execution performance of C code under Linux, is perf. Since most of the time we have to develop code that has to run fast, especially when dealing with carrier-grade network links of 10 GbE, profiling is inevitable.

As part of our research on botnets, we developed recognition techniques for botnet command and control flows, such as CoCoSpot. Naturally, we use these techniques to track C&C channels and their activities. Throughout our analysis period of more than three years, we have seen several botnets come and go. Some botnets have faced dedicated takedowns, such as Rustock, Mariposa, Mega-D, Kelihos and Pushdo, while others simply ceased without further ado.

While malware comes in many different flavors, e.g., spam bots, banking trojans or denial-of-service bots, one important monetization technique of recent years is rogue software, such as fake antivirus software (Fake A/V). Here, the user is tricked into paying for software which, in fact, does not even attempt to fulfill the promised task. Instead, the rogue software is malicious, may not have any legitimate functionality at all, and exists only to entice the user to pay.

A defining characteristic of a bot is its ability to be remote-controlled by way of command and control (C2). Typically, a bot receives commands from its master, performs tasks and reports back on the execution results. All communication between a C2 server and a bot is performed using a specific C2 protocol over a certain C2 channel. Consequently, in order to instruct and control their bots, bot masters, knowingly or not, have to define and use a certain command and control protocol.

ARP, the Address Resolution Protocol, is used on an Ethernet network to map IP addresses to hardware (MAC) addresses. By default (net.ipv4.conf.all.arp_ignore=0), a Linux box with several network interfaces will respond to ARP requests received on any interface for any of the IP addresses configured on any of its interfaces, and it answers with the MAC address of the interface the request came in on. Here is an example: Let’s assume we have a box which is connected with two interfaces A (MAC 00:00:00:AA:AA:AA) and B (MAC 00:00:00:BB:BB:BB). Interface A is configured to the IP address 172.
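As an added example (not code from the original post), here is a small Python model of the Linux reply policy the post describes, parameterized by the net.ipv4.conf.<iface>.arp_ignore sysctl. Only the two MAC addresses come from the post; the IP addresses, prefix lengths and request scenarios are assumptions made for illustration.

```python
"""Model of how a multi-homed Linux host answers ARP requests, depending on
the net.ipv4.conf.<iface>.arp_ignore sysctl.

Added example, not code from the original post. Only the two MAC addresses
come from the post; the IP addresses, prefixes and request scenarios below
are assumptions made for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Interface:
    name: str
    mac: str
    cidr: str  # address with prefix length, e.g. "172.16.1.10/24"

    @property
    def ip(self):
        return ipaddress.ip_interface(self.cidr).ip

    @property
    def network(self):
        return ipaddress.ip_interface(self.cidr).network


def effective_arp_ignore(all_value, iface_value):
    """The kernel applies max(conf/all/arp_ignore, conf/<iface>/arp_ignore)."""
    return max(all_value, iface_value)


def arp_reply(host, ingress, sender_ip, target_ip, arp_ignore=0):
    """Return the MAC the host answers with, or None if it stays silent.

    arp_ignore values modelled (Documentation/networking/ip-sysctl.rst):
      0 - reply for any local IP address, whichever interface it is on (default)
      1 - reply only if the target IP is configured on the ingress interface
      2 - as 1, and the sender's IP must lie in that address's subnet
      8 - never reply
    A reply always carries the MAC of the ingress interface, which is why the
    default lets interface B answer for interface A's IP with B's MAC.
    """
    if arp_ignore not in (0, 1, 2, 8):
        raise ValueError("arp_ignore value not modelled: %r" % arp_ignore)
    target = ipaddress.ip_address(target_ip)
    sender = ipaddress.ip_address(sender_ip)
    local = {iface.ip: iface for iface in host}
    if target not in local or arp_ignore == 8:
        return None
    owner = local[target]
    if arp_ignore >= 1 and owner.name != ingress.name:
        return None
    if arp_ignore == 2 and sender not in owner.network:
        return None
    return ingress.mac


# Constructed host: the post's two interfaces with assumed addresses.
HOST = (
    Interface("A", "00:00:00:AA:AA:AA", "172.16.1.10/24"),
    Interface("B", "00:00:00:BB:BB:BB", "10.0.0.10/24"),
)


def scenarios():
    """Who answers an ARP request for A's address under each policy?"""
    a, b = HOST
    return {
        # request for A's IP arrives on B: the default answers with B's MAC
        "default, on B for A's IP": arp_reply(HOST, b, "10.0.0.99", "172.16.1.10", 0),
        "arp_ignore=1, on B for A's IP": arp_reply(HOST, b, "10.0.0.99", "172.16.1.10", 1),
        "arp_ignore=1, on A for A's IP": arp_reply(HOST, a, "172.16.1.20", "172.16.1.10", 1),
        # a sender outside A's subnet is refused only by arp_ignore=2
        "arp_ignore=1, off-subnet sender": arp_reply(HOST, a, "192.168.5.5", "172.16.1.10", 1),
        "arp_ignore=2, off-subnet sender": arp_reply(HOST, a, "192.168.5.5", "172.16.1.10", 2),
        "any policy, address not ours": arp_reply(HOST, a, "172.16.1.20", "172.16.1.77", 0),
    }


if __name__ == "__main__":
    for label, mac in scenarios().items():
        print("%-34s -> %s" % (label, mac or "no reply"))
```

Setting net.ipv4.conf.all.arp_ignore=1 (together with arp_announce=2 for the requests the host sends itself) is the usual fix on multi-homed hosts; note that the kernel takes the maximum of the conf/all and conf/<iface> values, which effective_arp_ignore() mirrors, so a per-interface 0 cannot override a global 1.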

DNS as a carrier for botnet C&C seems to be gaining popularity, yet DNS-based botnet C&C has rarely been observed in the wild so far. Additionally, in typical network environments, DNS (at least when destined for the preconfigured DNS resolvers) is usually one of the few protocols – if not the only one – that is allowed to pass without further ado. Thus, botnets using DNS as C&C benefit from the fact that currently there is no specifically tailored detection mechanism, which in turn raises the probability for the botnet to remain undetected.
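As an added example (not code from the original post), here is a Python sketch of the kind of tailored detection the post says is missing: a heuristic over resolver query logs that profiles each zone by how many distinct, long, high-entropy subdomain labels it receives and how many of those queries use payload-carrying record types. The log format, the two-label zone split and every threshold are assumptions, and the log lines are constructed.

```python
"""Heuristic detection of DNS used as a botnet C&C carrier, run over
resolver query logs.

Added example, not code from the original post. The log format
("<epoch> <client> <qname> <qtype>"), the zone split on the last two
labels and all thresholds are assumptions; the log lines are constructed.
Idea: a zone that receives many distinct, long, high-entropy subdomain
labels, mostly over record types that carry free-form data (TXT, NULL),
looks like a C&C channel rather than ordinary name resolution.
"""
import math
from collections import defaultdict

PAYLOAD_TYPES = {"TXT", "NULL"}

# Constructed sample: ordinary lookups plus six TXT queries whose subdomain
# labels look like encoded bot messages under c2.example.net.
SAMPLE_LOG = """\
1300000001 10.0.0.5 www.example.com A
1300000002 10.0.0.5 mail.example.org MX
1300000003 10.0.0.7 www.example.com A
1300000004 10.0.0.9 cdn.example.com A
1300000005 10.0.0.5 7a3f9c1e0b2d4e6f8a1b3c5d7e9f0a2b.c2.example.net TXT
1300000006 10.0.0.5 4d2c6b8a0e1f3a5c7e9b1d3f5a7c9e0b.c2.example.net TXT
1300000007 10.0.0.5 9e1f3a5c7b2d4f6a8c0e2b4d6f8a0c1e.c2.example.net TXT
1300000008 10.0.0.5 0b2d4f6a8c1e3f5a7c9e1b3d5f7a9c2e.c2.example.net TXT
1300000009 10.0.0.5 1c3e5a7c9e2b4d6f8a0c2e4f6a8c1e3b.c2.example.net TXT
1300000010 10.0.0.5 5a7c9e1b3d6f8a0c2e4f7a9c1e3b5d8f.c2.example.net TXT
"""


def shannon_entropy(s):
    """Bits per character; 0 for empty or single-symbol strings."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text):
    """Return (ts, client, qname, qtype) tuples from the assumed log format."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, client, qname, qtype = line.split()
        records.append((int(ts), client, qname.rstrip(".").lower(), qtype.upper()))
    return records


def split_zone(qname):
    """Return (subdomain prefix, zone). Zone = last two labels, an assumption;
    a public suffix list is needed for names like example.co.uk."""
    labels = qname.split(".")
    if len(labels) <= 2:
        return "", qname
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def profile_zones(records):
    """Per-zone counters used by the heuristic."""
    zones = defaultdict(lambda: {"queries": 0, "prefixes": set(),
                                 "payload": 0, "entropy": [], "lengths": []})
    for _ts, _client, qname, qtype in records:
        prefix, zone = split_zone(qname)
        z = zones[zone]
        z["queries"] += 1
        z["prefixes"].add(prefix)
        z["payload"] += qtype in PAYLOAD_TYPES
        z["entropy"].append(shannon_entropy(prefix.replace(".", "")))
        z["lengths"].append(len(prefix))
    return zones


def suspicious_zones(records, min_distinct=5, min_entropy=3.0,
                     min_len=20, min_payload_frac=0.5):
    """Return {zone: stats} for zones that trip every threshold at once.
    Thresholds are illustrative; tune them against a baseline of your own
    resolver traffic before relying on them."""
    flagged = {}
    for zone, z in profile_zones(records).items():
        n = z["queries"]
        stats = {
            "queries": n,
            "distinct_prefixes": len(z["prefixes"]),
            "mean_entropy": sum(z["entropy"]) / n,
            "mean_len": sum(z["lengths"]) / n,
            "payload_frac": z["payload"] / n,
        }
        if (stats["distinct_prefixes"] >= min_distinct
                and stats["mean_entropy"] >= min_entropy
                and stats["mean_len"] >= min_len
                and stats["payload_frac"] >= min_payload_frac):
            flagged[zone] = stats
    return flagged


if __name__ == "__main__":
    for zone, stats in suspicious_zones(parse_log(SAMPLE_LOG)).items():
        print(zone, stats)
```

A bot that rotates encoded messages through TXT lookups under one zone trips all four thresholds at once, while the ordinary lookups in the same log do not. Before trusting the thresholds, run the profiler over a baseline of your own resolver traffic (CDNs and some anti-spam services also generate long machine-looking labels), and replace the two-label zone split with a public suffix list.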

On Tuesday, 11/11/2008, the US company McColo (AS26780) got cut off the Internet. McColo has been known for some dubious activities; some say that McColo was responsible for as much as 75% of all spam sent on the Internet. These activities stopped instantly once McColo got disconnected. I looked into this at our blacklist mirror. Since Tuesday evening (2200 local time CET), the total number of requests to the blacklist has been much lower than on the previous days.